The National Agency for Fiscal Administration (NAFA) is responsible for administering taxes, customs and social insurance contributions in Romania. It operates on a national level, with headquarters in Bucharest and offices in all the regions and major cities, plus customs posts around the country.
Applications are at the heart of everything we do, keeping us connected and informed. They are infused into nearly all aspects of our daily lives. This fact has paved the way not only for greater innovation, but also for greater demands.
People expect fast, reliable, anytime access to services and information from the device of their choice. However, achieving greater performance levels introduces new considerations and complexities, and applications require additional assistance from the network. Functions such as network and application security, encryption, acceleration, or load balancing are there to make applications better, faster, more efficient, reliable, and secure. Collectively, these features are known as application services. In most cases, these services are supplied by devices called Application Delivery Controllers (ADCs), which are usually specialized physical or virtual appliances acting as full application proxies.
With the demand for more applications and the subsequent need for application services, NAFA needed to implement a datacenter network spanning all of its processing platforms (including NAFA’s legacy data processing systems) in a modern “private cloud” type system, as well as a comprehensive network and application protection platform for the services provided (back-end and front-end services, applications, etc.) and for all the network segments deployed in the ICT infrastructure. Using national budget and World Bank loan resources, NAFA trusted us to upgrade its ICT platforms as part of a comprehensive Revenue Administration Modernization Project (RAMP). Central to the ICT platform modernization was the development of three data centers (Primary, Secondary, and Data Warehouse Centers) in two physical locations (in Bucharest and Brașov).
As part of a 6-month delivery timeline, we supplied, installed and configured according to best practices an acceleration and protection subsystem with global server load-balancing and DNS firewall capabilities, as well as an application delivery/firewall subsystem for the whole NAFA data center and application ecosystem. The implementation team comprised 5 highly skilled specialists, each cross-certified at the highest level on the corresponding technologies, so that we could meet the implementation standards required to successfully complete the project. Both the acceleration and protection subsystem (with its global server load-balancing and DNS firewall capabilities) and the application delivery subsystem were based on F5 Networks technologies, so that we could achieve the highest performance and security while meeting the complex requirements of the NAFA nationwide application delivery infrastructure.
The network firewall subsystem was based on Palo Alto Networks technologies, so that we could secure the complex network topologies spanning the data centers without introducing any performance-related issues. The whole security and acceleration stack was sustained by a centralized logging subsystem based on Graylog and delivered via a high-performance I/O subsystem based on a NetApp unified storage system, so that we could meet NAFA’s log correlation requirements without introducing any performance- or security-related issues.
As part of a 3-year support services delivery timeline, we supplied NAFA with a dedicated technical support team of 3 support engineers that delivered training services for the responsible NAFA personnel, as well as day-to-day incident response and operational support including, but not limited to:
- testing and deployment of software and firmware patches and updates issued by the original product manufacturer;
- configuration maintenance and troubleshooting, overall stability and availability related fine-tuning;
- performance maintenance and troubleshooting, specific element performance related fine-tuning;
- integrity and security maintenance and audit, specific security related re-configuration;
- warranty repair services.
The implemented platform has offered NAFA a wide range of specific functional, technical and transactional performance capabilities that they had no prior means of achieving, such as:
• integrated global application service load-balancing and DNS management/security, for high availability in the application services front-end layer;
• integrated application delivery controller, identity-based access gateway and web application services security (WAF) capabilities, for extended processing capability in the application services DMZ layer;
• active traffic redistribution across server nodes inside each datacenter and active traffic redistribution across sites/datacenters;
• name resolution services security management;
• hardware offloading and acceleration of processed traffic;
• accelerated web application session processing;
• application service load-balancing and high-availability;
• integrated identity gateway and web application security that offers protection of NAFA provided application services based on Lotus Domino and Oracle Portal;
• functional integration in NAFA’s Software Defined Networking (SDN) and application service centric infrastructure;
• multi-tenancy support with integrated platform virtualization and segregation of allocated resources;
• capability to subsequently add hardware processing power to the configuration without additional licensing being required for the software features;
• multifactor user authentication with support for the use of qualified digital certificates;
• protection against web application specific attacks and against application level DoS and DDoS attacks;
• integration with the on-premise vulnerability identification and remediation management services;
• integrated support for ‘threat-intelligence’ services;
• automatic update of relevant information pertaining to attack identification and to application of the appropriate countermeasures;
• integration with database activity monitoring services for NAFA deployed Oracle Database Firewall and Guardium Database Security;
• correlation of operational logs, as well as of security logs generated.
The project supplied the security features for no less than 30,000 concurrent users across the 2 existing NAFA sites. The implemented platform supports, holds and operates with detailed information sets for at least 5 million external users and at least 50,000 internal and extranet users.
The implemented platform has offered NAFA a wide range of specific operational capabilities that they had no prior means of achieving, such as:
• rapid and reliable delivery of applications;
• specific optimizations for deployed web applications, so that the NAFA users have access to the applications they need—whenever they need them;
• automated and customized application delivery with programmable infrastructure;
• granular control of applications from connection and traffic to configuration and management;
• faster and simplified transition to SDN and cloud networks;
• operational consistency and compliance with business needs across physical, virtual, and cloud environments, with deployment flexibility and scalability;
• easy deployment and management with complete visibility into the NAFA applications;
• complete protection of the NAFA applications with maximum performance and visibility;
• high application availability by stopping attacks from any location;
• reduced cost of security compliance;
• easy deployment of application security policies with minimal configuration;
• improved application security and performance as well as improved protection with external intelligence;
• automation of detection methods, as well as the quarantine/removal methods for the whole range of specific application and network threats;
• access control according to application type;
• configuration and enforcement of firewall policies based on users and user groups instead of or in addition to network zones and addresses;
• threat prevention services that protect the NAFA networks from viruses, worms, spyware, and other malicious traffic, which can be varied by application and traffic source;
• extensive reports, logs, and notification mechanisms that provide NAFA with detailed visibility into network application traffic and security events;
• high availability support that provides NAFA with automatic failover in the event of any hardware or software disruption.
The implemented project allowed NAFA to obtain increased IT department productivity by minimizing the reaction and resolution time in case of security incidents and improved productivity for all internal departments by minimizing or eliminating idle time of the internal/external application services.
It also increased the accessibility and performance rate of all internal and external services provided by NAFA’s ICT infrastructure by eliminating or drastically reducing the idle periods of all internal and external application services. At the same time, it reduced data leaks for NAFA by preventing automated attacks on its information systems and obtained an exponential reduction of reaction times for the web applications protected by the implemented project.
Not least, it improved the relationship with the citizens and the clients of the application services delivered nationwide by NAFA.
In achieving the complex performance, availability and security requirements put forth by NAFA, we employed various products and technologies supplied by our core technology partners: